From f4f79f103ea8ef7203d04a9f63b464e3fe45cbbc Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Tue, 25 Jun 2024 15:23:57 -0500
Subject: [PATCH 1/3] PYTHON-4388 Fix dist handling in SSDLC workflow

---
 .github/workflows/dist.yml | 6 ++++++
 .github/workflows/release-python.yml | 9 +++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/dist.yml b/.github/workflows/dist.yml
index 8ac1d00a6b..7ec55dd3b3 100644
--- a/.github/workflows/dist.yml
+++ b/.github/workflows/dist.yml
@@ -10,6 +10,10 @@ on:
 workflow_dispatch:
 pull_request:
 workflow_call:
+ inputs:
+ ref:
+ required: true
+ type: string

 concurrency:
 group: dist-${{ github.ref }}
@@ -44,6 +48,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ ref: ${{ inputs.ref }}

 - uses: actions/setup-python@v5
 with:
@@ -99,6 +104,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ ref: ${{ inputs.ref }}

 - uses: actions/setup-python@v5
 with:
diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml
index 5643ee1e3c..785a434048 100644
--- a/.github/workflows/release-python.yml
+++ b/.github/workflows/release-python.yml
@@ -19,7 +19,7 @@ env:
 PRODUCT_NAME: PyMongo
 # Changes per branch
 SILK_ASSET_GROUP: mongodb-python-driver
- EVERGREEN_PROJECT: mongodb-python-driver
+ EVERGREEN_PROJECT: mongo-python-driver

 defaults:
 run:
@@ -32,6 +32,8 @@ jobs:
 permissions:
 id-token: write
 contents: write
+ outputs:
+ version: ${{ steps.pre-publish.outputs.version }}
 steps:
 - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
 with:
@@ -44,6 +46,7 @@ jobs:
 aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
 artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }}
 - uses: mongodb-labs/drivers-github-tools/python/pre-publish@v2
+ id: pre-publish
 with:
 version: ${{ inputs.version }}
 dry_run: ${{ inputs.dry_run }}
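Review bot: The new `ref` input in the first dist.yml hunk is declared only under `workflow_call`, while the same workflow still runs on `pull_request` and `workflow_dispatch`, where `inputs.ref` is not defined and the two checkout steps in the @@ -44 and @@ -99 hunks expand to an empty `ref:`. If I read actions/checkout correctly an empty `ref` falls back to the event's default ref, so this works, but the fallback is silent and a future reader of `required: true` may assume the value is always present. I would document it on the first checkout line: `# set only by workflow_call callers; empty on pull_request/workflow_dispatch, so checkout uses the event's own ref`. Alternatively declare a matching optional `ref` input under `workflow_dispatch` so manual runs can pin a ref the same way.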
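Review bot: The `id: pre-publish` added in the @@ -44 hunk of release-python.yml feeds `steps.pre-publish.outputs.version` into the job output declared in the @@ -32 hunk, but nothing checks that the action actually set it. If the output is empty (I cannot see the action from here, and a `dry_run` path is a plausible case), the downstream `build-dist` and `static-scan` jobs receive an empty `ref` and, as far as I can tell, silently fall back to the default branch rather than the release commit, which is exactly the traceability gap this commit is fixing. A guard step right after the action fails the job instead; the expression is passed through `env` rather than interpolated into the shell line. The `pre-publish` job's step list continues past the end of the hunk.
```yaml
      - uses: mongodb-labs/drivers-github-tools/python/pre-publish@v2
        id: pre-publish
        # … unchanged: with: version / dry_run …
      - name: Fail if pre-publish produced no version
        env:
          RELEASE_VERSION: ${{ steps.pre-publish.outputs.version }}
        run: test -n "$RELEASE_VERSION"
```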
@@ -51,12 +54,14 @@ jobs:
 build-dist:
 needs: [pre-publish]
 uses: ./.github/workflows/dist.yml
+ with:
+ ref: ${{ needs.pre-publish.outputs.version }}

 static-scan:
 needs: [pre-publish]
 uses: ./.github/workflows/codeql.yml
 with:
- ref: ${{ github.ref }}
+ ref: ${{ needs.pre-publish.outputs.version }}

 publish:
 needs: [build-dist, static-scan]

From 3adab5cccc86fe1234f60bdad316192eaf5f86f3 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Tue, 25 Jun 2024 16:43:58 -0500
Subject: [PATCH 2/3] add securit-events: write permission

---
 .github/workflows/release-python.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml
index 785a434048..5feb0d1abf 100644
--- a/.github/workflows/release-python.yml
+++ b/.github/workflows/release-python.yml
@@ -60,6 +60,8 @@ jobs:
 static-scan:
 needs: [pre-publish]
 uses: ./.github/workflows/codeql.yml
+ permissions:
+ security-events: write
 with:
 ref: ${{ needs.pre-publish.outputs.version }}

From 0b21337f0cfcce7c2b81da111f114ceb1beb296c Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Tue, 25 Jun 2024 17:05:07 -0500
Subject: [PATCH 3/3] remove unused perm

---
 .github/workflows/codeql.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index abdd98b722..370b8759e6 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -26,9 +26,6 @@ jobs:
 # required for all workflows
 security-events: write

- # required to fetch internal or private CodeQL packs
- packages: read
-
 strategy:
 fail-fast: false
 matrix:
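Review bot: Both `with: ref:` values added in the @@ -51 hunk treat `needs.pre-publish.outputs.version` as a git ref, so the whole release pipeline now assumes that output is a ref name that already exists in the repository when `build-dist` and `static-scan` run, not just a version string. That contract is not written down anywhere in this hunk, and the previous value for `static-scan` was `github.ref`, so the failure mode changes from "scan the triggering ref" to "checkout fails" or, if the output is empty, "scan the default branch". I would state the assumption next to the first use: `# the version output doubles as the git ref to build and scan; it must name the tag that pre-publish pushes`. If the output is in fact a bare version without the tag prefix, the expression should build the tag name explicitly instead.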
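Review bot: The `permissions:` block added to `static-scan` in the @@ -60 hunk of release-python.yml becomes the ceiling for the called codeql.yml, and as I understand reusable-workflow semantics every scope not listed there is reduced to none for the callee. That is consistent with the third patch dropping `packages: read` from codeql.yml, but it also means any other scope the codeql job declares (for example `contents: read` for its checkout, which is outside the visible hunk) has to be listed here as well or the call fails at permission validation. I would either mirror the full scope set the codeql job declares, e.g. `permissions:` / `contents: read` / `security-events: write`, or add a comment `# must be a superset of the permissions declared in codeql.yml` so the two files are kept in step.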